Documentation :: Auth
Developer Account Auth
API Key and Secret
All API calls to face.com's REST API service must include your API Key and API Secret. Get yours here if you haven't already, and do not pass those to any 3rd party.
Domain Authentication Mode (secret-less)
If you're calling the face.com API directly from JavaScript/Flash code, don't send your API secret. Instead, make sure to enable Domain Authentication in your application settings, and set the domain to the site from which you'll be calling the API.
Note that a key for http://www.mydomain.com/ will only be accepted when the site is accessed using this address. It will not be accepted if the site is accessed by IP address (e.g. http://10.1.2.3/) or by a hostname that is aliased to www.mydomain.com using a DNS CNAME record.
If you're using the face.com API for Flash and your key is not working, make sure the key is registered for the domain from which the SWF is being served, not for the domain on which the SWF is embedded.
Password Protected Tagging
In certain cases, you might want to limit access to tags.add, tags.save, and tags.remove calls to users with editorial permissions only. This can be easily done using some server-side coding, but if you're calling the face.com APIs directly (JS/Flash code), you may enable this option in your application settings and specify a password to use. When enabled, all calls to tags.add/save/remove must specify the password from your application settings.
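One way to do the server-side gating mentioned above, as an added example (not face.com's code): the browser calls your own endpoint, which checks the user's role before forwarding tags.add/save/remove and attaches the API secret from server configuration only. The api_key/api_secret parameter names, the role model and the sample field names are assumptions, not taken from this page.

```javascript
// Added example: server-side gate for face.com API calls (not face.com code).
// Assumptions: the parameter names api_key / api_secret, the role model and
// the shape of `user` are hypothetical; the method names come from this page.
const FORWARDABLE = new Set([
  'faces.recognize', 'faces.train', 'tags.add', 'tags.save', 'tags.remove',
]);
const EDITOR_ONLY = new Set(['tags.add', 'tags.save', 'tags.remove']);
// Fields the browser must never control; the server supplies them itself.
const SERVER_OWNED = new Set(['api_key', 'api_secret']);

function buildUpstreamCall(method, clientParams, user, creds) {
  // Forward only methods this proxy knows about.
  if (!FORWARDABLE.has(method)) {
    return { allowed: false, status: 400, reason: 'unknown method' };
  }
  // Tag-changing calls need a signed-in user with the editor role.
  if (EDITOR_ONLY.has(method) && (!user || user.role !== 'editor')) {
    return { allowed: false, status: 403, reason: 'editorial permission required' };
  }
  const body = new URLSearchParams();
  for (const [name, value] of Object.entries(clientParams)) {
    // Drop client-sent credential fields and non-string values.
    if (SERVER_OWNED.has(name) || typeof value !== 'string') continue;
    body.append(name, value);
  }
  // Credentials are attached last, from server-side configuration only.
  body.append('api_key', creds.apiKey);
  body.append('api_secret', creds.apiSecret);
  return { allowed: true, status: 200, method, body: body.toString() };
}

// Constructed sample input: field names and values are made up.
const creds = { apiKey: 'EXAMPLE_KEY', apiSecret: 'EXAMPLE_SECRET' };
const viewer = { id: 'u1', role: 'viewer' };
const editor = { id: 'u2', role: 'editor' };
const params = { label: 'constructed', api_secret: 'client-supplied' };
console.log(buildUpstreamCall('tags.save', params, viewer, creds));
console.log(buildUpstreamCall('tags.save', params, editor, creds));
```

With this layout the secret never reaches the browser, and a client-supplied api_secret field is dropped rather than forwarded.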
User Account Auth
The face.com REST API provides indexing for users of known social networks, currently Facebook and Twitter. While this is a great way to collaborate and contribute across all applications using this index, we make sure this information is used only by friendly apps, and only allow access to friends. We enforce access to this information based on the credentials of the currently signed-in user. Each call involving Facebook or Twitter users also entails an API call to the underlying social network in order to verify access rights. In addition, we will not provide recognition services for users who block their photo tagging information, even if they are friends of the currently signed-in user.
Facebook Auth
You can tag and recognize Facebook users on any photo on the web.
We've implemented a 4th-party Facebook Connect scheme. Here's how it works:
- As required by Facebook, users interact with your site directly, through a dedicated Facebook Connect application.
- Register your Facebook API key and secret with your face.com API key. You can do this by editing the settings of your face.com application(s) here.
- Pass user_auth information when calling faces.recognize, faces.train, and all tagging methods:
  - fb_user - current Facebook user ID
  - fb_session [Deprecated] - current Facebook session, which corresponds to the Facebook API key and Secret you provided upon application registration
  - fb_oauth_token - Facebook OAuth 2.0 access token, which corresponds to the Facebook API key and Secret you provided upon application registration
We will perform basic validations to ensure that access to users' photos follows Facebook's privacy settings, and will support operations only on friends of the current user. When tagging a user, you are required to notify the user through your selected channels (wall-to-wall, publisher, etc.). This is done for better user experience, privacy, and distribution of photos.
More on using Facebook Connect 4th-party code
Twitter Auth
Although Twitter is a mostly public network, we still require that you pass username/password or OAuth information for tagging and recognition actions. We limit those calls to your friends (Twitter users who follow you and whom you follow back).
When calling faces.recognize, faces.train, and tags.add/save/remove for Twitter users, you must provide the user_auth field as follows:
- OAuth: specify twitter_oauth_user, twitter_oauth_secret, twitter_oauth_token
- User/Password: specify twitter_username and twitter_password
Private Namespace Auth
User Auth is not required for private namespace access. However, you must apply your own user protection as required by our terms.
